Memprocfs Hunter: memory forensic wrapper
This script is a memory forensic wrapper around MemProcFS for fast memory analysis. It includes several hunting modules and an ELK import with pre-built hunting dashboards. Features include metadata and import detection, eventlog parsing, Yara and ClamAV scanning to flag malicious files, and memory injection detection. Happy Hunting 😉
The screenshots are generated using the memory dump from the Disobey 2020 Memory Forensics Workshop.
Important
If you run the eventlog parser module, the file is sometimes locked by PowerShell for roughly 60 seconds before it is released. Just wait…
- Thanks to https://cqureacademy.com/ for their awesome tool CQEVTXRecovery.exe, used to repair corrupted evtx files.
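Rather than guessing when the hold is over, you can poll the file until an exclusive open succeeds. The helper below is an added example and not part of Memprocfs Hunter; the `$evtx` path is a placeholder for whichever file the parser module left locked.

```powershell
# Added example (not Memprocfs Hunter code): wait until PowerShell releases its lock
# on a file before the next module touches it.
function Wait-FileUnlock {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [int]$TimeoutSeconds = 120,   # the lock normally clears within ~60 s
        [int]$PollSeconds = 5
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            # FileShare::None fails while any other handle is still open on the file.
            $fs = [System.IO.File]::Open(
                $Path,
                [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::ReadWrite,
                [System.IO.FileShare]::None)
            $fs.Close()
            return $true
        } catch {
            Start-Sleep -Seconds $PollSeconds
        }
    }
    return $false
}

# Placeholder path (assumption): point it at the evtx written by the parser module.
$evtx = 'C:\case\output\Security.evtx'
if (-not (Wait-FileUnlock -Path $evtx)) {
    throw "Still locked after timeout: $evtx"
}
Write-Host "Unlocked: $evtx"
```

The timeout keeps a stale handle from hanging an unattended run; if it trips, look for the PowerShell process that still has the file open rather than extending the wait.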
If you want to import the hunting dashboards into ELK, download Elasticsearch and Kibana (7.12.0 in the paths below) and start the services on the local machine:
Unzip and start the services:
- C:\elasticsearch-7.12.0-windows-x86_64\elasticsearch-7.12.0\bin\elasticsearch.bat
- C:\kibana-7.12.0-windows-x86_64\bin\kibana.bat
Run MemProcFS_ELKImport to import the hunting dashboards.
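The steps above can be scripted so the import only runs once both services actually answer, which avoids the connection errors you get when Kibana is still starting. This is an added example, not the project's own script; the `.bat` paths are the ones listed above, the ports are the Elasticsearch and Kibana defaults (9200 and 5601), and the `MemProcFS_ELKImport.ps1` invocation at the end is an assumption about the import script's file name.

```powershell
# Added example (not Memprocfs Hunter code): start the local ELK services and wait for
# them to be reachable before importing the hunting dashboards.
$ElasticBat = 'C:\elasticsearch-7.12.0-windows-x86_64\elasticsearch-7.12.0\bin\elasticsearch.bat'
$KibanaBat  = 'C:\kibana-7.12.0-windows-x86_64\bin\kibana.bat'

function Wait-HttpReady {
    param([Parameter(Mandatory)] [string]$Uri, [int]$TimeoutSeconds = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        try {
            # Any non-2xx response (e.g. Kibana's 503 while it boots) throws, so we keep polling.
            $null = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 5
            return $true
        } catch {
            Start-Sleep -Seconds 5
        }
    }
    return $false
}

foreach ($bat in @($ElasticBat, $KibanaBat)) {
    if (-not (Test-Path -LiteralPath $bat)) { throw "Not found: $bat (unzip the archive first)" }
}

# Each .bat stays in the foreground, so launch them as separate processes.
Start-Process -FilePath $ElasticBat
if (-not (Wait-HttpReady 'http://localhost:9200/_cluster/health')) {
    throw 'Elasticsearch did not come up on port 9200'
}

Start-Process -FilePath $KibanaBat
if (-not (Wait-HttpReady 'http://localhost:5601/api/status')) {
    throw 'Kibana did not come up on port 5601'
}

# Assumed file name for the import script shipped with Memprocfs Hunter; adjust as needed.
& .\MemProcFS_ELKImport.ps1
```

Both services ship with security disabled in this setup and bind to loopback by default; keep it that way on an analysis workstation, since the imported data is case evidence and anything listening on a routable interface would expose it without authentication.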
Download
Copyright (C) 2021 memprocfshunt